Comments
-
The newest release candidate has the time group edit built into HTML 5, so there is the next best option (2023.4RC1).
-
An easy way to understand is to edit the alert from the config event groups option. This will show all the triggers that go into the inferred alert for a better understanding of sources.
-
Honestly, the new RC version will save you a lot of time, as reports are now HTML 5 and you do not need to use Crystal Reports ever again. I am running 2023.4RC1, which actually solves tons of issues regarding reports.
-
I agree this is more of an Orion product, as this is network performance monitoring that is security related. You can pull this data with Windows Performance Monitor as well if you're on a Microsoft OS. There are other products that will work with SolarWinds and others; I recommend reaching out to your rep for trials if need be. I…
-
Short-term solution: add a hosts file entry to resolve the hostname to the IP address. Uninstall the agent on the server and delete the node on SEM, then start again to see if the connection can be made; it looks like a possible DNS issue. Make sure that no additional firewall rules are blocking the TCP port mentioned in the install of the agent for outgoing rules.
-
I had a similar issue after upgrading: the old agent worked but the new agent didn't. In my case I upgraded to the release candidate (RC) instead of the regular release. So we ran the upgrade, which fixed the agent issue; secondly, I added more RAM as my SEM was hitting my threshold of 80%. After that was resolved, no more issues.
-
1. Ensure you enable additional logging on the AD server for success and failure, which is not on by default. Reference the MS Security Baseline if you're not sure. 2. If you have an LDAP connection set up, import directory groups to filter by department (depends if you set up your AD this way). 3. I set up a reverse proxy with a public…
-
I do not think so. As this is not sent parsed via the current M365 connector, the location data is stored from the login and this is broken down into interactive and non-interactive. The Microsoft audit only gives the public IP in Extraneous Info and Source IP. You have to combine it with another product to enrich the data…
-
Editing time groups is not straightforward, and I will go through the steps to achieve this. First, this has not been ported over from the older LEM interface; you must download the console tool. This is under the optional Download Adobe Air Console. Open the SolarWinds LEM Console; this will bring up the old console. Under Build…
-
I agree that is the next step. You must have admin, not monitor or auditor. The screen I shared before is from 2022.4.
-
I have filtering rules on TCP 6568. This is the default port for AnyDesk, so I have a firewall rule (outbound) send a syslog to SEM and configure a rule to alert. You could also use the agent, but the above approach covers the entire network agentless.
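As an added illustration of the approach in the comment above (not code from the original post or from SolarWinds), the following parses constructed firewall syslog lines and flags outbound TCP connections to the AnyDesk default port 6568, which is the kind of match a SEM alert rule would be built on. The key=value log layout, hostnames and addresses are constructed assumptions; real firewall formats differ.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not real logs); the key=value layout is an assumption.
SAMPLE_SYSLOG = """\
<134>Jan 10 09:12:01 fw01 filterlog: action=allow proto=tcp src=10.0.5.21 sport=51922 dst=203.0.113.45 dport=6568
<134>Jan 10 09:12:02 fw01 filterlog: action=allow proto=tcp src=10.0.5.22 sport=51923 dst=203.0.113.46 dport=443
<134>Jan 10 09:12:03 fw01 filterlog: action=block proto=tcp src=10.0.5.23 sport=51924 dst=198.51.100.7 dport=6568
<134>Jan 10 09:12:04 fw01 filterlog: action=allow proto=udp src=10.0.5.24 sport=51925 dst=198.51.100.8 dport=6568
this line is not a firewall record and must be skipped
"""

ANYDESK_PORT = 6568  # AnyDesk default port, as stated in the comment above

# <PRI>timestamp host filterlog: key=value key=value ...
LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) filterlog: (?P<kv>.*)$"
)


@dataclass
class Event:
    ts: str
    host: str
    fields: dict


def parse_line(line):
    """Return an Event for a well-formed filterlog line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return Event(m.group("ts"), m.group("host"), fields)


def anydesk_alerts(text, port=ANYDESK_PORT):
    """Flag TCP flows from an internal (RFC 1918) source to the given destination port.

    Blocked and allowed flows are both reported, with the action kept so the analyst
    can see whether the egress rule fired.
    """
    alerts = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev.fields.get("proto") != "tcp":
            continue
        if not ev.fields.get("dport", "").isdigit() or int(ev.fields["dport"]) != port:
            continue
        src = ev.fields.get("src", "")
        try:
            if not ipaddress.ip_address(src).is_private:
                continue  # only outbound from internal hosts is of interest
        except ValueError:
            continue
        alerts.append({"ts": ev.ts, "host": ev.host, "src": src,
                       "dst": ev.fields.get("dst"), "action": ev.fields.get("action")})
    return alerts
```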
-
What version of SEM are you currently running? In the 2022 version it should be seen as above.
-
There is a workaround to this, as I use a reverse proxy in front and apply the wildcard on the reverse proxy instead of SEM. I currently do this for my production, as I collect data from the remote computers this way.
-
You could determine when a command prompt is raised to administrator, but by actual commands would be hard, as this requires first checking if there is a log option for that command built into Windows and then determining if the SolarWinds connector is configured to detect these logs. If they do not, then you have to raise a…
-
Try also filtering by tool alias to see which connectors are the most noisy; that will pinpoint the connector giving you the issue.
-
This is done at the firewall level or router level using syslogs. Do you have any IDS/IPS set up that will allow for more granular logs, such as geolocation and better dynamic filtering of application traffic specifically (for example TeamViewer web traffic)?
-
You must make sure the GPO for audit logon is set for logging. Check if your security event log shows the event. Next, check if the user-defined group is set up for domain admins; for this the Active Directory configuration is required to pick the groups. If just filtering, you can filter by directory service group only; rules do…
-
Hello. Depending on the firmware version of your FortiGate, I go to the Log settings menu in the left sidebar, then go to the log setting section and make sure both event logs and local traffic logs are set to all and syslog is set to SEM. I monitor about 8 FortiGates with no issues. Hope this helps.
-
Check if the failing device is registered as hybrid under Azure Active Directory devices. This happens if an old device attempts to log in using an expired password. I have the hybrid environment as well and found the initial issue was old devices that registered; I simply deleted them in Azure AD and that fixed the issue.
-
You can monitor the majority of what you're asking, but please note this will require enabling additional audit policy controls that are not turned on by default. Logon and off: yes. Installation of software: yes. cmd/PowerShell: you must enable more audit controls; most of the time the AD username is presented in transactions. UEBA…
-
You cannot make your own connector and must put in a feature request. The reason for this is to ensure compatibility with SEM. You can modify existing connectors if you know regex, but considering any update to the connector will override your changes, it is not recommended either. Simply, the answer is no at this time. Please…
-
In most cases, the extraneous info has information that cannot be parsed correctly, so I would first filter by tool alias for the Linux connector and then do a filter search using wildcards "*hostname [name]*". You can make custom filters and rules for particular machines, which would help in the long run.
-
Import via CSV is the best approach for batches, or having a database such as LDAP will work too.
-
This is not an option, as the filters for connectors are stored in C:\Windows\SysWOW64\ContegoSPOP\tools. If you're good at regex you could modify them, but this will be erased when the connector is updated by SolarWinds. If you look in the connector under Wrapper ID, it will tell you how many times it was updated under rev #.
-
Question: is this standard FTP(S) or is this SFTP? The reason is that the SSH for SFTP shows in syslog, while FTP shows differently in the logs. I do not use Cerberus FTP, but you might want to check that the logging of FTP is enabled for logins and logouts.
-
For non-agent devices there are several options. 1. User-defined groups: this is static and needs to be updated when adding/removing/replacing devices, but works quite well. 2. You can filter by tool alias for the connector it comes in on, which is more dynamic, and if you have several of the same device there are already groups by a…
-
Thanks for the idea. I will test this with the test domain for the use case and let you know.
-
The problem I have is LDAP users cannot have admin privileges. MFA only works on LDAP users currently, not on domain users, as it authenticates via MFT not DUO.
-
I have 2 global accounts for the administration of all domains. I have 3 domain accounts set up for customers, internal employees, and testing. The 2 global admins have complex passwords and send alerts to my email when logged in. Customer domains are set up to an LDAP server configured for customers; the Employee domain we have are…
-
This is for FTP and web based, with no issues.